CVE-2004-0114
CVSS 4.6
Published: 2004-03-03 00:00:00
Revised: 2016-10-17 22:41:01

[Original] The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges.


[CNNVD] BSD Kernel SHMAT System Call Privilege Escalation Vulnerability (CNNVD-200403-037)

        
On BSD systems, shmat(2) maps a shared memory segment, previously created with shmget(2), into the address space of one or more processes/threads.
A programming error in the shmat(2) system call causes the shared memory segment's reference count to be incremented incorrectly, which may lead to privilege escalation.
The function is implemented in sysv_shm.c:
 -- sysv_shm.c lines 317-322 --
 vm_object_reference(shm_handle->shm_object);   /* reference taken here */
 rv = vm_map_find(&p->p_vmspace->vm_map,
                  shm_handle->shm_object,
                  0, &attach_va, size,
                  (flags & MAP_FIXED) ? 0 : 1,
                  prot, prot, 0);
 if (rv != KERN_SUCCESS) return ENOMEM;         /* error path: the reference is never released */
 -- end of code snippet --
shmat(2) first increments the reference count of the underlying vm_object and then attempts to insert the vm_object into the process address space. The problem is that shmat(2) forgets to decrement the reference count when vm_map_find fails.
This vulnerability can be exploited by a local user:
A shared memory segment can be created with shmget(2), and shmat(2) used to map it at two different locations in the process address space.
After roughly 2^32-2 (invalid) shmat(2) calls, the vm_object's reference count becomes 1.
After one of the mappings is removed with shmdt(2), the vm_object is freed, yet we still hold an additional mapping. A SUID process can then be tricked into reusing the freed vm_object as its stack segment, at which point the stack segment of the SUID program can be written directly, conveniently escalating privileges.
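The reference-count leak described above, shown as an added example that is not part of the CNNVD entry or of the FreeBSD source: a user-space C model in which `vm_object`, `vm_object_reference`, `vm_object_deallocate` and `vm_map_find` are stand-ins whose bodies are assumptions written for this illustration (the real kernel functions manage real objects and address-space maps). The leaky variant reproduces the error-path bug from the snippet; the fixed variant drops the reference it took before returning ENOMEM, which is the missing decrement the text describes. A helper runs repeated failing attach attempts through each variant so the drift in the count can be compared, which is the kind of invariant check (count unchanged after a failed operation) a reviewer or fuzz harness would apply to any refcounted error path.

```c
/*
 * Added example, not FreeBSD's code: a user-space model of the reference
 * counting pattern in shmat(2). All kernel-looking names below are stand-ins
 * (assumptions for this illustration), not the real kernel API.
 */
#include <stdio.h>
#include <stdint.h>

#define KERN_SUCCESS  0
#define KERN_NO_SPACE 3    /* assumed failure code returned by the stand-in vm_map_find */
#define ENOMEM        12

struct vm_object {
    uint32_t ref_count;    /* number of holders (mappings) of this object */
};

/* Take one reference on the object. */
static void vm_object_reference(struct vm_object *obj)
{
    obj->ref_count++;
}

/* Drop one reference; a real kernel would free the object when it reaches 0. */
static void vm_object_deallocate(struct vm_object *obj)
{
    obj->ref_count--;
}

/* Stand-in for vm_map_find: fails when map_fails is nonzero. */
static int vm_map_find(int map_fails)
{
    return map_fails ? KERN_NO_SPACE : KERN_SUCCESS;
}

/* Vulnerable pattern from the snippet: reference taken, never dropped on failure. */
static int shmat_leaky(struct vm_object *obj, int map_fails)
{
    vm_object_reference(obj);
    int rv = vm_map_find(map_fails);
    if (rv != KERN_SUCCESS)
        return ENOMEM;     /* BUG: obj->ref_count stays incremented */
    return 0;              /* on success the mapping legitimately holds the reference */
}

/* Corrected pattern: undo the reference on the error path before returning. */
static int shmat_fixed(struct vm_object *obj, int map_fails)
{
    vm_object_reference(obj);
    int rv = vm_map_find(map_fails);
    if (rv != KERN_SUCCESS) {
        vm_object_deallocate(obj);   /* release the reference we took above */
        return ENOMEM;
    }
    return 0;
}

/*
 * Run n failing attach attempts through one of the two variants, starting from
 * an object with `initial` references, and report the resulting count.
 * A correct implementation leaves the count unchanged; the leaky one grows by n.
 */
static uint32_t refcount_after_failures(int (*attach)(struct vm_object *, int),
                                        uint32_t initial, unsigned n)
{
    struct vm_object obj = { .ref_count = initial };
    for (unsigned i = 0; i < n; i++)
        (void)attach(&obj, 1);       /* 1 = force vm_map_find to fail */
    return obj.ref_count;
}

int main(void)
{
    printf("leaky after 1000 failed attaches: %u\n",
           refcount_after_failures(shmat_leaky, 1, 1000));
    printf("fixed after 1000 failed attaches: %u\n",
           refcount_after_failures(shmat_fixed, 1, 1000));
    return 0;
}
```

The leaky variant ends at 1001 references while the fixed one stays at 1; on a 32-bit counter the leaked references are what allow the count to eventually wrap, which is why the advisory treats a leak on a locally triggerable error path as a privilege-escalation issue rather than a mere resource leak.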
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:netbsd:netbsd:1.3    NetBSD 1.3
cpe:/o:freebsd:freebsd:5.2  FreeBSD 5.2
cpe:/o:openbsd:openbsd:2.6  OpenBSD 2.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0114
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0114
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-037
(official data source) CNNVD

- Other links and resources

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc
(VENDOR_ADVISORY)  FREEBSD  FreeBSD-SA-04:02
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-004.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2004-004
http://marc.info/?l=bugtraq&m=107608375207601&w=2
(UNKNOWN)  BUGTRAQ  20040205 [PINE-CERT-20040201] reference count overflow in shmat()
http://www.openbsd.org/errata33.html#sysvshm
(UNKNOWN)  CONFIRM  http://www.openbsd.org/errata33.html#sysvshm
http://www.pine.nl/press/pine-cert-20040201.txt
(UNKNOWN)  MISC  http://www.pine.nl/press/pine-cert-20040201.txt
http://www.securityfocus.com/bid/9586
(VENDOR_ADVISORY)  BID  9586
http://xforce.iss.net/xforce/xfdb/15061
(VENDOR_ADVISORY)  XF  bsd-shmat-gain-privileges(15061)

- Vulnerability information

BSD Kernel SHMAT System Call Privilege Escalation Vulnerability
Medium severity  Design error
2004-03-03 00:00:00 2005-05-13 00:00:00
Local
        

- Advisories and patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* FreeBSD users are advised to use one of the following methods; note that they can cause instability or failure of X Window System software that relies on shared memory:
1) Disable the System V shared memory interface as follows:
- Comment out `SYSVSHM' in the kernel configuration file, then rebuild the kernel as described at:

http://www.freebsd.org/handbook/kernelconfig.html

- Comment out `sysvshm' in /boot/loader.conf and /etc/rc.conf.
- On FreeBSD 5.x, System V shared memory support is provided via kld(4); to be absolutely safe, delete any file named `sysvshm.ko' in /modules.
- Reboot the machine.
2) Configure the System V shared memory parameters so that no new shared memory segments can be created, terminate all processes that use shared memory, and remove all existing shared memory segments, by running:
# sysctl -w kern.ipc.shmmax=0
# echo 'kern.ipc.shmmax=0' >> /etc/sysctl.conf
# ipcs | awk '/^m/ { print $2 }' | xargs -n 1 ipcrm -m
Vendor patches:
FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-04:02) together with a corresponding patch:
FreeBSD-SA-04:02: shmat reference counting bug
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc
Patch download:
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch.asc

- Vulnerability information (23655)

BSD Kernel SHMAT System Call Privilege Escalation Vulnerability (EDBID:23655)
bsd local
2004-02-05 Verified
0 Joost Pol
N/A
source: http://www.securityfocus.com/bid/9586/info

A vulnerability has been reported to reside in the 'shmat()' system call used in the BSD kernel. Exploiting this issue may allow a local attacker to inject instructions into the memory of a privileged process.

http://www.exploit-db.com/sploits/23655.tar.gz		

- Vulnerability information (F50623)

flokken-0.1-whore.tar (PacketStormID:F50623)
2006-10-04 00:00:00
PoWeR PoRK  
exploit,kernel,local
freebsd
CVE-2004-0114

FreeBSD 5.2 and prior shmat local kernel exploit.

- Vulnerability information

3836
Multiple BSD shmat() Privilege Escalation
Local Access Required Infrastructure
Loss of Integrity

- Vulnerability description

BSD contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when two separate mappings are created with shmat(2) to a shared memory segment created with shmget(2). If shmat(2) is abused and then one of the mappings is deleted with shmdt(2), the vm_object will continue to map to the shared memory segment. A suid binary may reuse the vm_object and allow the (non-root) user to write directly to the stack segment of the suid binary. This flaw may lead to a loss of integrity of the system.

- Timeline

2004-02-05 2004-02-01
Unknown Unknown

- Solution

Upgrade to the current slice of the BSD distribution, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing vendor-supplied patches.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

BSD Kernel SHMAT System Call Privilege Escalation Vulnerability
Design Error 9586
No Yes
2004-02-05 12:00:00 2006-10-05 06:40:00
The disclosure of this issue has been credited to Joost Pol of Pine Digital Security.

- Affected program versions

OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
NetBSD NetBSD current pre20010805
NetBSD NetBSD 1.6.1
NetBSD NetBSD 1.6 beta
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5 x86
NetBSD NetBSD 1.5 sh3
NetBSD NetBSD 1.5
NetBSD NetBSD 1.4.3
NetBSD NetBSD 1.4.2 x86
NetBSD NetBSD 1.4.2 SPARC
NetBSD NetBSD 1.4.2 arm32
NetBSD NetBSD 1.4.2 Alpha
NetBSD NetBSD 1.4.2
NetBSD NetBSD 1.4.1 x86
NetBSD NetBSD 1.4.1 SPARC
NetBSD NetBSD 1.4.1 sh3
NetBSD NetBSD 1.4.1 arm32
NetBSD NetBSD 1.4.1 Alpha
NetBSD NetBSD 1.4.1
NetBSD NetBSD 1.4 x86
NetBSD NetBSD 1.4 SPARC
NetBSD NetBSD 1.4 arm32
NetBSD NetBSD 1.4 Alpha
NetBSD NetBSD 1.4
NetBSD NetBSD 1.3.3
NetBSD NetBSD 1.3.2
NetBSD NetBSD 1.3.1
NetBSD NetBSD 1.3
NetBSD NetBSD current pre20010701
NetBSD NetBSD Current
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5.1 -STABLEpre2001-07-20
FreeBSD FreeBSD 3.5.1 -STABLE
FreeBSD FreeBSD 3.5.1 -RELEASE
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 3.5 x
FreeBSD FreeBSD 3.5 -STABLEpre122300
FreeBSD FreeBSD 3.5 -STABLEpre050201
FreeBSD FreeBSD 3.5 -STABLE
FreeBSD FreeBSD 3.5
FreeBSD FreeBSD 3.4 x
FreeBSD FreeBSD 3.4
FreeBSD FreeBSD 3.3 x
FreeBSD FreeBSD 3.3
FreeBSD FreeBSD 3.2 x
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.1 x
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.0 -RELENG
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.2 x
FreeBSD FreeBSD 2.2

- Vulnerability discussion

A vulnerability has been reported to reside in the 'shmat()' system call used in the BSD kernel. Exploiting this issue may allow a local attacker to inject instructions into the memory of a privileged process.

- Exploit

The following exploit is available:

- Solution

FreeBSD has released an advisory with patches to address this issue. Please see the referenced advisory for details.

OpenBSD has released patches for versions 3.3 and 3.4.

NetBSD has released advisory 2004-004 dealing with this issue.


OpenBSD OpenBSD 3.4

OpenBSD OpenBSD 3.3

NetBSD NetBSD 1.6.1

- Related references

 

 
